1. 5

    Ubuntu breaking itself with updates while still being less secure than OpenBSD is what made me switch to OpenBSD stable on my laptop. Everything just works, even months later, and was surprisingly easy to set up (OpenBSD was a breeze for me compared to Arch Linux).

    1. 1

      Going from Ubuntu to OpenBSD! What a jump, haha. How was the transition? I always imagine it being very hard to make.

      1. 5

        I have been all over the place … something like ubuntu -> arch -> fedora -> debian -> ubuntu -> debian -> ubuntu -> openbsd.

        I just practised installing OpenBSD once in a VM to make sure I could get i3 working and after that there was no problem. The older I get, the more I appreciate things that don’t change under your feet.

        1. 5

          The older I get, the more I appreciate things that don’t change under your feet.

          So, there’s this OS called “Debian”… :-)

          1. 9

            I tried updating a Debian stable machine that I had not touched for six months. It blew up in my face. I’ve never had that happen with OpenBSD.

            ever

            1. 3

              As a counterpoint, I’ve had Debian machines that have gone through 10+ years of upgrades without problem. For example, I’m currently in the process of retiring a VPS that was first installed in 2005 (it’s only being retired as it’s still running a 32-bit userland, has become too much of a snowflake and needs to be rebuilt using configuration management tools).

              That said, I’ve never had a problem with the OpenBSD upgrade procedure either :)

              1. 1

                Agreed, Debian stable is ok if you stick with the same stable version. Upgrading between stable releases can be… problematic.

                With OpenBSD it’s mostly just a matter of reading release notes to see what config files need to be looked at. I’ve never had a Linux distro be as straightforward as OpenBSD in this regard. And that is why it runs all my routing duties.

                1. 1

                  Regular security or point release upgrades never break, so I imagine you’re talking of an upgrade to a new major release. Do you remember which version you’ve tried to upgrade to and what went wrong exactly?

        1. 5

          Is there any equivalent scheduler tool for Free/OpenBSD? To be honest, I like the ideas of Kubernetes, but it seems over-engineered (for what I need it for anyway).

          I was thinking perhaps https://www.nomadproject.io/ would work since it doesn’t depend on docker or containers, but I haven’t tried it yet. The main feature I care about is zero downtime upgrades (Perhaps I should have just used erlang instead of go).

          1. 4

            Perhaps I should have just used erlang instead of go

            We use k8s at work, and while it works well for us I very much get the feeling that it’s the Erlang version of Greenspun’s tenth law.

            1. 3

              I’ve been using nomad for go services and it works awesomely well. We use it with Docker only, BUT we tried without it and it worked perfectly too (still sticking to docker since we have other stacks and it’s nice to have a common interface). You definitely can try it very quickly by setting up consul and nomad in dev mode. In addition if doing HTTP, I’d advise you to check ebay/fabio that works just out of the box with Consul. I didn’t try but I bet those 3 work perfectly fine on BSD.

              1. 2

                I want to link nomad but there is a severe lack of “drivers” – if I want to use rkt or docker containers, I’ll just use k8s (and get cool stuff like cilium and a bunch of [usually outdated] documentation)

                1. 1

                  What drivers are missing from your perspective? Especially, which ones can’t you easily accomplish with either exec or raw_exec?

                2. 2

                  We use Nomad, and it works well for us. It doesn’t depend on Docker, and has drivers for exec, raw_exec, rkt, docker, JVM, etc. It’s pretty easy to turn up and maintain as well, which is a HUGE win over k8s.

                  Nomad supports zero-downtime upgrades, it even allows you to push N instances of the new version into production, while keeping X copies of the old version running, and then manually approve the new version, and then it will turn off the X old copies and finish turning on the new version.

                  1. 2

                    Ed Schouten ported Kubernetes to FreeBSD… with CloudABI apps. So of course it’s possible to write a runner for jails too. When I finally get around to writing a new cool “Docker-ish-but-without-the-suck-parts” jail management tool, I’ll probably write that as well :D

                    But yeah, Nomad sounds very good indeed, much less over-engineered.

                  1. 1

                    What are the main differences between OpenBSD and FreeBSD? I’ve been using FreeBSD for some time now and have had very few issues, although the Intel graphics driver dies every few weeks forcing a restart. That said, I need to upgrade to 11.1.

                    1. 3

                      They are very different. So you’d need to give a bit of context for that question.

                      But maybe it’s worth mentioning how different they are. NetBSD and FreeBSD started out nearly 24 years ago. They developed into rather different directions, had very different focuses (and no, that’s not just NetBSD working on a toaster). Somewhat over ten years ago OpenBSD forked from NetBSD. Today both operating systems are very different from each other.

                      One might say that code wanders between the projects, which is true, but one has to keep in mind that this is also true for Linux and BSD. While this is harder, due to licensing, a lot of the developers are still willing to give permissions in regards to code. However, the kernel isn’t the most obvious thing to users anyway, in most cases, other than “which hardware” and “which file systems” are supported, but even there, there is FUSE.

                      In other words, they are about as different as two Unix derivatives can get, but also not more than that. They have a somewhat different community and culture, but also not more different than different open source operating systems.

                      What you will notice is that OpenBSD is a bit slower and a bit more focused on simplicity. Even though the performance part depends a bit on use cases.

                      I’d hugely suggest trying it out though. Like different programming languages it can extend your horizon. At least for me trying out the different BSDs back in 2005 and the following years did. They are all general purpose operating systems, so don’t be blinded by the typical categorization of saying that OpenBSD is fast, NetBSD is portable and FreeBSD is performant and has a lot of drivers (even though that’s probably more true for DragonFly BSD these days).

                      What is rather amazing about all of them is how incredibly much each of them manages to get done, despite having a comparatively (compared to Linux) small amount of committers. They all have quite a few edges over other, similar projects, have research going on, while still remaining perfectly usable general purpose operating systems.

                      1. 4

                        Somewhat over ten years ago OpenBSD forked from NetBSD.

                        Somewhat over ten years being over 20 years ago.

                        1. 5

                          look, for some of us, thirty years ago will always be the 70s.

                      2. 2

                        FreeBSD and OpenBSD are similar in that they’re both direct descendants of Unix, by way of 386BSD and 4.4BSD-Lite. Compared to Linux they are more conservative with design decisions, and have much better documentation quality.

                        FreeBSD is the larger project. They have more manpower and more code. Personally I think of them as a more conservative Debian. Features include: ZFS support in the kernel, the bhyve hypervisor, a Linux binary compatibility layer, and support for Wine and Steam. Nvidia graphics cards are well-supported. They also care a lot about performance: their TCP/IP stack is one of the best, and they forked the pf firewall to add multicore support. They also have the largest ports tree. Netflix uses FreeBSD for many of their servers.

                        OpenBSD is much more aggressive about simplicity of implementation. Dead or broken code is deleted from the tree. They’ve developed a reputation for security but it seems to derive from simplicity of implementation, which is their primary concern. When a legacy component seems broken, they’re not afraid to refactor or reimplement it: LibreSSL, doas, and pledge are all OpenBSD success stories. The vmm/vmd hypervisor is up-and-coming. While not as far along as bhyve, it is capable of running Linux guests. OpenBSD has also taken a hardline stance against blobs in the kernel, which means AMD (with the open-source radeon driver) is a better bet than Nvidia. OpenBSD is arguably the best BSD for laptops, assuming you have supported hardware.

                        Capsicum vs Pledge is a great example of FreeBSD vs OpenBSD. Both projects attempt to achieve the same thing: restrict program permissions so they do less damage if misbehaving. Capsicum is a complex capabilities-based system which is very sophisticated and took years to write. Adjusting programs to use capsicum is usually hard work. In contrast, pledge is a simple privilege-dropping syscall developed in a few months. Adding pledge to a program is often just a 2-line diff. [Pledge slides]

                        1. 1

                          Lots of insights, but a few questions came up.

                          OpenBSD is arguably the best BSD for laptops

                          Why? One could argue that both DragonFly and MacOS might be better. But then it is for hardware reasons, which you seem to have excluded from that statement.

                          Netflix uses FreeBSD for many of their servers.

                          Do you know if they use it outside of Open Connect?

                          their TCP/IP stack is one of the best

                          Measured by what?

                          1. 1

                            DragonflyBSD laptop support seems rather limited. MacOS has BSD code in userspace but I wouldn’t really call it “a BSD”. Even Windows had BSD code in userspace.

                            Your questions about Netflix and the TCP/IP stack are related: they chose it for performance. Netflix probably has servers that aren’t FreeBSD, but they definitely use it for their content delivery.

                            When it comes to raw performance, especially in terms of system load per packet, nothing beats FreeBSD. This has been true for as long as I can remember.

                            https://www.quora.com/Why-did-Netflix-choose-FreeBSD-over-Linux

                        2. 2

                          You need to upgrade to -CURRENT :)

                          OpenBSD is focused on security and simplicity. It has a ton of exploit mitigation features (though there’s HardenedBSD, a FreeBSD fork with a lot of these). OpenBSD lacks a lot of features a FreeBSD power user would be used to. No jails, no DTrace, no ZFS… going from a modern CoW FS with snapshots and stuff to old UFS/FFS makes me very sad.

                        1. 1

                          I have one (erm, three) and it is wonderful. Do I wish it was thinner and had like usb-c charging? Sure.

                          1. 2

                            If you don’t mind my asking, how much does it weigh, and what’s the battery life you get?

                            4W draw at 32Wh means he could get something like 8h battery life – which is very attractive to me. I currently use a MacBook predominantly for the massive battery performance, but also because it’s so light, but I might trade a little weight and a little battery for a nice keyboard and good Linux support.

                            1. 4

                              FWIW if you can stand a 16:9 display, an official Lenovo Thinkpad T470 has a cheap battery upgrade option that doubles the battery life to 16 hours. 96Wh total (24 internal battery + 72 external). 3.9 pounds with the bigger battery. https://www.laptopmag.com/reviews/laptops/lenovo-thinkpad-t470

                              Compare with MacBook Pro 13” 3.02 pounds, 15” 4.02 pounds.

                              1. 3

                                I’m using a 12” MacBook, not Pro: i7, 16GB RAM. It’s more than powerful enough for what I need to take on the road, but that keyboard. Ugh.

                                4lbs sounds like too much to me, but wow 16 hours of battery sounds incredible.

                                1. 1

                                  IIRC, the X270 can get quite a bit more, and is even lighter.

                                  FWIW, I’ve tried the 12” MacBook keyboard in store and didn’t have many problems with it; though that’s not extended use. I’m coming from a ThinkPad X201, for reference. The bigger loss is no TrackPoint.

                                  1. 1

                                    huh. I’ll look into that as well. Thanks.

                                  2. 1

                                    The new 12” MacBooks have the second gen butterfly keyboard which is much better.

                                    1. 2

                                      It’s one of the new ones (i7, 16GB ram, etc)

                                      Keyboard is ok but the low travel is annoying for extended use.

                                      1. 1

                                        I’m one of those weird people who vastly prefers v1 of that keyboard compared to v2.

                                  3. 1

                                    No idea. I have only old OEM batteries. Have not yet found newer aftermarket ones.

                                1. 3

                                  The link to 51nb just took me to a Facebook captcha page. Is the “order form” basically post on Facebook and send money and wait?

                                  1. 4

                                    As you are an OpenBSD developer, I’m happy to have one smuggled to you via hackathon. I tried to do that for bryan without success.

                                    But yes, the fb page puts you in touch with jacky who takes your money and ships you things six weeks later.

                                    1. 5

                                      Oh, thanks, but I’m pretty happy with the X1. The new keyboard suits me.

                                      I was mostly curious. And it’s somewhat funny. All the failed hardware kickstarters with super polished demo videos that never ship, and here’s “dude with a spreadsheet” getting things done.

                                    2. 1

                                      this is the link to the batch that is reviewed, don’t use it, it’s old https://docs.google.com/forms/d/e/1FAIpQLSeFFHJnlP5oITwFJGAIUaZj0ndVULMS_p4JnpbP3OITV75HdA/viewform?c=0&w=1

                                    1. 2

                                      I use Fastmail (generally like it) and Route53 (only because feature-rich anycasted services don’t have ‘individual’ plans, and others with smaller plans don’t have a considerable anycasted reach. Route53 is the in-between for me).

                                      Everything else I use is self hosted.

                                      1. [Comment removed by author]

                                        1. 9

                                          Linux certainly has the corporate backing(1), popular mindshare, and lots of workforce, but there is something about the general cohesive feeling of BSD systems that some people really like. I do at least!

                                          I consider the BSDs as more “cathedral” while Linux is more “bazaar”. Linux is also a kernel with a base GNU user-space (written by other people), and now systemd, all packaged by a distro. In BSD-land the base user-space is released by the same team as the kernel. So it is different, and some people enjoy that difference.

                                          If you were a FreeBSD user, you may also wonder why use DragonFly? As a FreeBSD user, I love that DragonFly is trying new things and focusing on cluster computing and high performance. Diversity is great!

                                          (1): something like 90+% of contributions to the Linux kernel are apparently corporate sponsored

                                          1. 4

                                            Why can’t someone just implement a Linux patch to bring that level of SMP to Linux?

                                            Software is soft so yes, someone could do this. But it’s not like a 10 line patch, it’s a fairly large architectural change in how the kernel works. This is the cause of the DragonFlyBSD and FreeBSD split, the FreeBSD leads didn’t want to make those changes.

                                            So it would be a lot of code to change plus the political battle to get people into it.

                                            1. 2
                                              1. 2

                                                my use case is I can’t use OpenBSD and I have a lot of cores = DragonflyBSD. with vmm I don’t even have to mess with FreeBSD and bhyve ever again!

                                                1. 2

                                                  what is my usecase for such an operating system?

                                                  I think only you can answer that. What is your usecase for Linux or the distribution you use?

                                                  Why can’t someone just implement a Linux patch to bring that level of SMP to Linux?

                                                  I think in this case it’s largely about design decisions and how hard migrating to new code is. There is just more than one way to do many areas of IT. Operating systems, a bit like programming languages, differ mostly in those different design decisions, philosophies and user interface (or syntax).

                                                  Have you seen this post by Matt Dillon yet? I am sure this could be done in Linux, even in a more Linux-y way. That doesn’t mean it will be done. In the end that might not even be a bad thing, as going in different directions when developing software sometimes leads to an overall worse system, where you run into bugs, have a lot of complexity, have to make all sorts of compromises, etc.

                                                  Again, comparing this to programming languages might make this more clear, since philosophies and design decisions are more dominant there, even in general purpose languages, whereas in general purpose OSs these seem to be exceptions (OpenBSD for example has a strong emphasis on what it considers good). When it comes to programming languages you see JavaScript and Perl as two programming languages that took ideas and philosophies from pretty much everywhere else - Perl did that more outside of stdlib though, thinking about Perl Moose. At the same time we see languages like Go, Python and some functional languages that try to keep certain philosophies and opinions dominant. Note that neither programming languages nor operating systems prevent doing it differently; however, people are still opposed.

                                                  In the Linux world this actually is a big part of why patch sets exist. They both show it can be done, and sometimes still won’t be taken into the main source repository, for various reasons, technical and philosophical - and that despite Linux likely being way more open minded about ideas that might or might not be forgotten about in just a few years.

                                                  1. 1

                                                    Why can’t someone just implement a Linux patch to bring that level of SMP to Linux?

                                                    SMOP!

                                                  1. 1

                                                    why are all the infosec people I follow charitably saying this is theatre at best and doesn’t do anything for any kind of attack?

                                                    1. 8

                                                      The most common negative response I have seen is that this can be bypassed if an attacker knows the addresses they will write their ROP chain to. This is true, but it is not the case that all attacks know the addresses where the ROP chain goes. The @grsecurity response is interesting, since they point out that this idea has been seen before (quite some time ago - in 1999 and 2003). If you have heard other specific criticisms, then I’d be interested to hear them.

                                                      The next iteration of this doesn’t have to use the stack pointer - it can use something stronger. Step 1 is getting the ecosystem working with mangled return addresses. For this, the stack pointer is cheap and easy.
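The mangling argument above, as an added example written for this page (it is not OpenBSD’s RETGUARD code): a C model of a saved-return-address slot under no mangling, stack-pointer mangling, and a per-function cookie. It shows why a blind overwrite fails once the slot is XORed with the stack pointer, why a stack-pointer leak restores the bypass the comment mentions, and why a secret cookie resists that same leak. The addresses, the stack pointer value and the cookie are all constructed; the stack pointer is kept in a struct field so the model runs on any platform.

```c
/* Added example: a model of return-address mangling, not OpenBSD's RETGUARD.
 * All addresses, the stack pointer and the cookie are constructed values. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The stack slot holding a saved return address, plus the stack pointer the
 * prologue and epilogue see. In real code that is %rsp; here it is a field so
 * the model runs anywhere. */
struct frame {
    uintptr_t saved_ret;
    uintptr_t sp;
};

static const uintptr_t LEGIT_RET = 0x401234u;   /* constructed: real caller */
static const uintptr_t GADGET    = 0x40abcdu;   /* constructed: first ROP gadget */
static const uintptr_t SP        = 0x7ffc1000u; /* constructed: stack pointer at the call */
static const uintptr_t COOKIE    = 0x5bd1e995u; /* constructed: per-function random cookie */

/* No mangling: the slot holds the raw return address. */
static void prologue_plain(struct frame *f, uintptr_t ret) { f->sp = SP; f->saved_ret = ret; }
static uintptr_t epilogue_plain(const struct frame *f) { return f->saved_ret; }

/* Stack-pointer mangling: store ret ^ sp, undo it before returning. */
static void prologue_sp(struct frame *f, uintptr_t ret) { f->sp = SP; f->saved_ret = ret ^ f->sp; }
static uintptr_t epilogue_sp(const struct frame *f) { return f->saved_ret ^ f->sp; }

/* Cookie mangling: the secret is not derivable from the stack layout at all. */
static void prologue_cookie(struct frame *f, uintptr_t ret) { f->sp = SP; f->saved_ret = ret ^ COOKIE; }
static uintptr_t epilogue_cookie(const struct frame *f) { return f->saved_ret ^ COOKIE; }

/* 1. Unprotected: overwriting the slot with a gadget address redirects the return. */
bool plain_overwrite_hijacks(void) {
    struct frame f;
    prologue_plain(&f, LEGIT_RET);
    f.saved_ret = GADGET;                    /* the overflow writes the raw gadget address */
    return epilogue_plain(&f) == GADGET;
}

/* 2. sp-mangled, attacker does not know sp: the demangled value is GADGET ^ sp,
 *    an address the attacker never chose. */
bool sp_blind_overwrite_hijacks(void) {
    struct frame f;
    prologue_sp(&f, LEGIT_RET);
    f.saved_ret = GADGET;
    return epilogue_sp(&f) == GADGET;
}

/* 3. sp-mangled, attacker knows where the chain lands (an sp leak): pre-mangle
 *    the gadget address and the scheme is bypassed. */
bool sp_known_overwrite_hijacks(void) {
    struct frame f;
    prologue_sp(&f, LEGIT_RET);
    uintptr_t leaked_sp = f.sp;              /* assumption: an info leak gave away sp */
    f.saved_ret = GADGET ^ leaked_sp;
    return epilogue_sp(&f) == GADGET;
}

/* 4. Cookie-mangled: the same sp leak no longer helps. */
bool cookie_with_sp_leak_hijacks(void) {
    struct frame f;
    prologue_cookie(&f, LEGIT_RET);
    uintptr_t leaked_sp = f.sp;
    f.saved_ret = GADGET ^ leaked_sp;        /* attacker still assumes sp mangling */
    return epilogue_cookie(&f) == GADGET;
}

/* Sanity check: legitimate returns still work under every scheme. */
bool legit_returns_work(void) {
    struct frame a, b, c;
    prologue_plain(&a, LEGIT_RET);
    prologue_sp(&b, LEGIT_RET);
    prologue_cookie(&c, LEGIT_RET);
    return epilogue_plain(&a) == LEGIT_RET
        && epilogue_sp(&b) == LEGIT_RET
        && epilogue_cookie(&c) == LEGIT_RET;
}

int main(void) {
    printf("legitimate returns work:          %d\n", legit_returns_work());
    printf("plain overwrite hijacks:          %d\n", plain_overwrite_hijacks());
    printf("sp-mangled, blind overwrite:      %d\n", sp_blind_overwrite_hijacks());
    printf("sp-mangled, sp leaked:            %d\n", sp_known_overwrite_hijacks());
    printf("cookie-mangled, sp leaked:        %d\n", cookie_with_sp_leak_hijacks());
    return 0;
}
```

Scenario 3 is the criticism the comment concedes; scenario 4 is the shape of the “something stronger” it anticipates, at the cost of needing per-function secret storage rather than a value that is already in a register.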

                                                    1. 3

                                                      IIRC, the first time they did this was because OpenBSD was “randomly” chosen. I am surprised they’ve done it again. You’d think Google would donate something, seeing how a non-trivial part of the Android code base uses OpenBSD code.

                                                      and, of course, OpenSSH.

                                                      1. [Comment removed by author]

                                                        1. 12

                                                          The scale of the problem they solve is a lot larger than what most people will ever work on. The fan-out nature of the product is challenging enough, but there’s more.

                                                          The 140 chars thing is inconsequential. It would be the easiest thing to change.

                                                          1. 0

                                                            The 140 chars thing is inconsequential. It would be the easiest thing to change.

                                                            Agree with everything until this part. I think it’s very likely that there is some critical RDBMS with a varchar(140) column that’ll make “easy” an actual nightmare with people waking up in cold sweats.

                                                            1. 6

                                                              140 characters are counted as 140 Unicode grapheme clusters, so the byte size is already potentially a lot larger and variable.

                                                              1. 1

                                                                True. In MySQL you’d likely set the collation to utf-8 or whatever. That doesn’t make doubling, or eliminating the character limit altogether, any less difficult though?

                                                                1. 3

                                                                  In MySQL you’d likely set the collation to utf-8 or whatever.

                                                                  Fun fact: you’d want the “whatever” https://medium.com/@adamhooper/in-mysql-never-use-utf8-use-utf8mb4-11761243e434

                                                                  But here’s the rub: MySQL’s “utf8” isn’t UTF-8.

                                                                  The “utf8” encoding only supports three bytes per character. The real UTF-8 encoding — which everybody uses, including you — needs up to four bytes per character.

                                                                  MySQL developers never fixed this bug. They released a workaround in 2010: a new character set called “utf8mb4”.
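To check data before it reaches a MySQL “utf8” (utf8mb3) column, here is an added example written for this page, not code from the linked article: a small UTF-8 decoder in C that rejects malformed input (bad continuation bytes, overlong forms, surrogates, truncated sequences) and reports whether a string contains a code point above U+FFFF, i.e. one that needs utf8mb4. It counts code points, not grapheme clusters; a cluster can span several code points, so the byte size of a “140-character” tweet can be larger still. The sample strings are constructed.

```c
/* Added example: classify a UTF-8 string for MySQL utf8mb3 vs utf8mb4.
 * Written for this page; sample strings below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum utf8_class { UTF8_INVALID = -1, UTF8_MB3_OK = 0, UTF8_NEEDS_MB4 = 1 };

/* Decode one sequence from s[0..n). Returns its length (1-4) and stores the
 * code point, or returns 0 on malformed input: bad lead/continuation byte,
 * overlong encoding, surrogate code point, value above U+10FFFF, or truncation. */
size_t utf8_decode_one(const unsigned char *s, size_t n, uint32_t *cp) {
    if (n == 0) return 0;
    unsigned char b = s[0];
    size_t len;
    uint32_t c, min;
    if (b < 0x80) { *cp = b; return 1; }
    else if ((b & 0xE0) == 0xC0) { len = 2; c = b & 0x1F; min = 0x80; }
    else if ((b & 0xF0) == 0xE0) { len = 3; c = b & 0x0F; min = 0x800; }
    else if ((b & 0xF8) == 0xF0) { len = 4; c = b & 0x07; min = 0x10000; }
    else return 0;                                   /* stray continuation or 0xF8+ */
    if (n < len) return 0;                           /* truncated sequence */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;         /* not a continuation byte */
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min) return 0;                           /* overlong form, e.g. C0 AF */
    if (c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF)) return 0;
    *cp = c;
    return len;
}

/* Walk the whole string. Optionally reports code point and byte counts. */
int utf8_classify(const char *str, size_t *codepoints, size_t *bytes) {
    const unsigned char *s = (const unsigned char *)str;
    size_t n = strlen(str), i = 0, cps = 0;
    int needs_mb4 = 0;
    while (i < n) {
        uint32_t cp;
        size_t len = utf8_decode_one(s + i, n - i, &cp);
        if (len == 0) return UTF8_INVALID;
        if (len == 4) needs_mb4 = 1;                 /* U+10000 and above: utf8mb3 cannot store it */
        i += len;
        cps++;
    }
    if (codepoints) *codepoints = cps;
    if (bytes) *bytes = n;
    return needs_mb4 ? UTF8_NEEDS_MB4 : UTF8_MB3_OK;
}

/* Code point count, or -1 for malformed input. */
long utf8_count(const char *str) {
    size_t cps;
    return utf8_classify(str, &cps, NULL) == UTF8_INVALID ? -1 : (long)cps;
}

int main(void) {
    /* Constructed samples: ASCII, 2-byte, 3-byte, 4-byte (U+1F525), overlong, truncated. */
    const char *samples[] = {
        "hello", "na\xc3\xafve", "\xe6\x97\xa5\xe6\x9c\xac",
        "ok \xf0\x9f\x94\xa5", "\xc0\xaf", "\xe6\x97"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t cps = 0, bytes = 0;
        int r = utf8_classify(samples[i], &cps, &bytes);
        printf("sample %zu: %s (code points %zu, bytes %zu)\n", i,
               r == UTF8_INVALID ? "INVALID" : r == UTF8_NEEDS_MB4 ? "needs utf8mb4" : "fits utf8mb3",
               cps, bytes);
    }
    return 0;
}
```

Rejecting on UTF8_NEEDS_MB4 (or fixing the column) matters because MySQL with strict SQL mode refuses such a row with an “Incorrect string value” error, while in non-strict mode it silently stores the string cut off at the first 4-byte character, which is the kind of truncation that turns harmless input into a different string than the one validated. The decoder also refuses overlong forms, which are a classic way to slip bytes past a validator that works on the decoded text.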

                                                                  1. 2

                                                                    It’s things like this that inspire me to hold PostgreSQL tighter to my bosom.

                                                              2. 2

                                                                A few years ago they had a bug for a day or so which allowed much longer tweets, so I doubt they have this hard limit anywhere except for the validation code.

                                                            2. 4

                                                              Twitter is all about pushing ads and trying to find ways to monetize their users. They have over 3k employees, and I have no idea WTF they’re doing to be honest. The site has terrible performance, and it’s buggy as hell. If you look at the source for the page, it’s downright nightmarish. They keep adding shit like moments that nobody wants or ever asked for, while ignoring actual user requests like the ability to edit tweets.

                                                              I started using Mastodon recently, and it’s just a better experience all around. The core functionality of Twitter is not that hard to implement. If you’re not trying to monetize, then you can provide a much better experience for the users.

                                                              Personally, I’d really like to see the internet go back to being a distributed system where anybody can run a server and interact with people, as opposed to the current centralized model where a few sites dominate all the social media.

                                                              Running your own servers is cheaper and easier than ever. You can get a Digital Ocean droplet for 5 bucks a months nowadays, and the prices are only going down.

                                                              Meanwhile, setting up and managing apps like Mastodon has become much easier as well thanks to Docker. Run the container that the maintainer packages, and you can get it up and running in minutes.

                                                              I think Mastodon is a great example that this model absolutely does work today. I also think that it’s more robust than the startup model.

                                                              Mastodon is open source, and it will be around as long as people want to use it. The features get added based on user demand, as opposed to demand of investors. Anybody can run their own node, and set it up any way they like. No central entity decides how Mastodon is used, or what it’s used for.

                                                              This is what the internet was meant to be. We took a terrible detour with walled gardens like Facebook and Twitter, but it doesn’t have to be that way.

                                                              1. 1

                                                                If you’re not trying to monetize, then you can provide a much better experience for the users.

                                                                There are tons of shitty FOSS projects out there. I am an open source enthusiast, my job title is literally “Open Source Software Engineer.” I love FOSS software. But the idea that it’s better because you’re not trying to make money is just not one I’d come close to making. I love using Linux on the desktop but it’s way worse for most users than Windows or MacOS. Open source is great because it’s about Freedom, not because it provides a superior user experience. Sometimes it does, sometimes it doesn’t. It really depends on the product and what you’re using it for.

                                                                1. 2

                                                                  This. Often proprietary is better quality because more man hours are spent on it. However, despite this I will use Free Software over proprietary any day because it gives me something proprietary can never give me, Free Software gives me freedom.

                                                                  1. 1

                                                                    Of course, open source is not a guarantee that you’ll end up with a great piece of software. However, I’m talking about the specific difference in motivation for Twitter and Mastodon developers. Personally, I find Linux far preferable to Windows as a desktop as well, but MacOS is definitely a lot more polished than Linux.

                                                                2. 3

                                                                  They make a considerable amount of money. Is it net profit? No. Mostly because they have an insane head count.

                                                                1. 1

                                                                  Seems like a trivial amount – why doesn’t the PSF pay for half if not all of that?

                                                                  1. 5

                                                                    Because no one has written a grant application to get the money. I’m also not sure that the PSF hands out grants that big for code development efforts.

                                                                    1. 2

                                                                      Biggest grant I can find by the PSF is 10k https://www.python.org/psf/records/board/resolutions/

                                                                      1. 2

                                                                        I don’t imagine them really wanting to give people a reason to change the defacto standard python away from one they control.

                                                                        1. 5

                                                                          The PSF doesn’t control CPython, and doesn’t care which Python you use, as long as you use Python :-)

                                                                          (Source: Former PSF board member)

                                                                          1. 1

                                                                            I stand corrected, thanks!

                                                                      1. 1

                                                                        QUIC is cool, but is updating TCP really impossible? Multipath TCP is a thing, and Apple is already using it for Siri.

                                                                        1. 4

                                                                          MTCP does not solve the stalling flow problem (head of line blocking) due to packet loss and waiting on that retransmit to get through.

                                                                          QUIC also has a 0 (zero) RTT cryptographically secure(ish) HTTP request mode; akin to the whole TCP 3 way handshake, SSL handshake and HTTP request rolled up into a single compact UDP packet so the request is serviced immediately by the server.

                                                                          1. 5

                                                                            QUIC annoys me, because it’s a massive layering violation. It bakes in HTTP, when all I want is a better TCP – Something like CurveCP, which has zero roundtrips, and does encryption and authentication in one go.

                                                                            1. 5

                                                                              Guess you hate BTRFS and ZFS too?

                                                                              I don’t think Google designed QUIC for you, so kinda irrelevant what you want or what I want :-)

                                                                              Besides you said you have CurveCP so what is the problem?

                                                                              CurveCP violates ‘layering’ in the same way that QUIC does, so I am not sure what you mean here? Nothing about QUIC prevents you sending non-HTTP traffic over it. QUIC is more a DCCP+DTLS+TLSv1.3-RTT0 rolled into one; done outside of the IETF initially as it was a prototype that no-one knew what would work?

                                                                              What would you have done differently to avoid layering violation and to make your entire service (inc browser support) 0RTT in a span of months?

                                                                              If you wanted to gripe about something you should probably grumble about DCCP/SCTP, but then this ignores the sane technical reason QUIC (and CurveCP) violate these layers, which is all the god-awful middleware that makes up the routing hops.

                                                                              If you have the time, read about RINA and also the fun presentation by John Day titled Shortening the Dark Ages of Networking (.mov)… it might sway you to the view that layering is actually sometimes the problem. :-)

                                                                              1. 1

                                                                                maybe long-term public keys could be a replacement for ip numbers.

                                                                                1. 1

                                                                                  What are your thoughts on routing, and what does a public key improve on over a 2^80 IP block allocation?

                                                                                  1. 1

                                                                                    If it’s all public keys, encryption is the default (although with tiny keys).

                                                                                    1. 1

                                                                                      What advantages does this have over just setting a reverse DNS lookup record and including the public key in something like a TXT RR or maybe some formalised X509 RR?

                                                                                      We could do this with IPv4 today, but as no one is I am not really sure what this would solve over host transport IPsec?

                                                                                      Plus routing is the hard part of a protocol…not how many bits are in the address or if you slip something cryptographic in there, surely?

                                                                                    2. 1

                                                                                      Definitely not thought through: but a public key can be self-allocated and works well in an encrypt-by-default world. You’d need something like DNS …

                                                                                    3. 1

                                                                                      networking ASIC designers would like to have a few words with you…

                                                                                1. 2

                                                                                  nvi v1.* is horribly buggy. There is nvi2

                                                                                  https://github.com/lichray/nvi2

                                                                                  I do wish it could be ported to more platforms.

                                                                                  1. 1

                                                                                    I am not much of a nvi power user. what kind of bugs are there? also, thank you for sharing nvi2 – I’d never heard of it until now.

                                                                                    1. 1

                                                                                      nvi2 is mentioned in the linked post :^)

                                                                                  1. 2

                                                                                    where do I know algebraic effects from? as in, where is it applied in CS topics?

                                                                                    1. 7

                                                                                      Here, basically. :) They’re an alternative to monads, formally a weaker (less general) abstraction, which therefore optimizes better. Specifically, unlike a monad, an algebraic effect can’t affect flow control except in certain very specific ways, which means there’s no explicit AST-like “backbone” of your code at runtime. So they can encapsulate side-effects (the State monad), but can’t encapsulate novel programming paradigms such as Prolog-style constraint-logic programming (the List monad).

                                                                                      1. 4

                                                                                        I’m pretty sure algebraic effects can handle Prolog-style “search, accumulate successful results, backtrack on failure”. Check the slide titled “Eff: Dynamic Effects (2)” here.

                                                                                        1. 2

                                                                                          Interesting… I am not sure I understand it, I’d need to play around a bit in a repl or something.

                                                                                    1. 4

                                                                                      My proposal: Bitcorn, the first digital currency backed by physical kernels of corn. This overcomes the common complaint from internet commenters that bitcoin “isn’t real”.

                                                                                      1. 5

                                                                                        and burn down the crops in an effort to control inflation :D

                                                                                        “Thank you. Since we decided a few weeks ago to adopt the leaf as legal tender, we have, of course, all become immensely rich.”

                                                                                        (The Restaurant at the End of the Universe, Douglas Adams, RIP)

                                                                                        1. 2

                                                                                          Can I use gold to back this coin instead of corn at the current market corn/gold exchange rate? It’s just easier for me to store gold than corn.

                                                                                          1. 1

                                                                                            How do you link physical objects to a private key with a decentralized certainty/authority?

                                                                                            This ear has this private key... says who?

                                                                                          1. 2

                                                                                            Super clear and complete! I would just have liked some links or tips to harden this a bit, if the author has some references, would be great!

                                                                                            1. 13

                                                                                              It’s OpenBSD, so just relax. Hardening is built-in and enabled by default.

                                                                                              1. 3

                                                                                                While true, we mustn’t become complacent.

                                                                                                1. 4

                                                                                                  That’s why you keep your OpenBSD installs regularly updated.

                                                                                                  1. 2

                                                                                                    But you are running a vpn service with a weak cipher?

                                                                                                    1. 1

                                                                                                      The defaults are deprecated or compromised? News to me.

                                                                                                      the only reason “weaker” ciphers are included is for backward compatibility with end points that support nothing else.

                                                                                                      1. 1

                                                                                                        I’m referring to following the guide & deploying a service with modp1024. Not the defaults in OpenBSD.

                                                                                                2. 2

                                                                                                  While it’s a decent configuration, doing IKEv2 with the chacha20-poly1305 ciphers as described here is more secure in my opinion. That being said it won’t work for clients that don’t have the cipher baked in as it violates the RFC (in fact I think only OpenIKED has support).

                                                                                                  1. 4

                                                                                                    Indeed, you have to opt for the insecure modp1024 option with OS X clients, because with higher settings it’s not possible for the OS X client to connect using the system prefs client as described in the guide. (The issue is on the OS X side.)

                                                                                              1. 1

                                                                                                Isn’t IPsec reportedly broken? There’s nothing official of course, but slides from NSA are leaked: http://www.spiegel.de/media/media-35529.pdf

                                                                                                OpenVPN looks much better.

                                                                                                1. 2

                                                                                                  By what metric does OpenVPN look better?

                                                                                                  1. 3

                                                                                                    Security, flexibility. It’s also far simpler. Read e.g. https://www.schneier.com/academic/paperfiles/paper-ipsec.pdf

                                                                                                    1. 2

                                                                                                      while I generally agree simpler often leads to more secure, that paper is from 1999. the IPsec code in OpenBSD is widely used, well tested, and has not suffered the plethora of CVEs the OpenVPN code base continues to suffer.

                                                                                                      to each their own, but I would (and do) run base OpenBSD code for VPN duties before anything else, including OpenVPN.

                                                                                                      1. 2

                                                                                                        It’s not about the security of OpenBSD’s IPsec implementation vs OpenVPN, but the security of IPsec itself vs OpenVPN. So not about implementation, but the standard itself.

                                                                                                1. 4

                                                                                                  I am trying to, and retrying, and still hoping I can eventually, bootstrap OpenStack from bare metal.

                                                                                                  The options are many and the documentation… maddeningly not accurate or useful. Makes me love OpenBSD documentation all the more.

                                                                                                  1. 6

                                                                                                    c-cube does a lot of great work in OCaml. I’m a user of his stdlib replacement, containers, which has most of the functionality I want and is more lightweight than Jane St’s Core suite.

                                                                                                    1. 4

                                                                                                      Thank you for this comment, I took a look at c-cube’s other repositories and they’re chock full of good stuff.

                                                                                                      You should submit some of them! @pushcx doesn’t need any more sweet Internet points. ;-)

                                                                                                      1. 3

                                                                                                        Seriously. I have >150 stories in my backlog right now. You/apy should submit one ocaml repo a week, get that tag kicking.

                                                                                                      2. 3

                                                                                                        Also he is very active on IRC and open for suggestions which is fantastic if you don’t know how something works or have suggestions for features.

                                                                                                        1. 1

                                                                                                          which server & channel?

                                                                                                          1. 3

                                                                                                            #ocaml on Freenode.

                                                                                                      1. 4

                                                                                                        At work I’m making a tool for distributing traffic between multiple datacenters. DNS and anycast seem like blunt tools. Thinking of supporting utilizing H2 alt-svc records. They are like a H2-level CNAME.

                                                                                                        1. 1

                                                                                                          They are blunt, but ultimately how traffic and requests are steered.

                                                                                                          What is H2?

                                                                                                          1. 1

                                                                                                            HTTP/2

                                                                                                            It has the concept of an alt-svc record, which is a bit like a redirect or CNAME but transparent to the browser. Your URL bar continues to say https://awesome.com/ even though awesome.com sent an alt-svc record and sent you to https://edge-1.awesome.com/

                                                                                                            It’s not really an alternative to a load balancer, but could be used to shed load that anycast was distributing unequally.
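The alt-svc mechanism described in the comment above, as an added example (not from the thread or from any project it mentions): a Python parser for RFC 7838 Alt-Svc header values together with the host-authentication rule a client must apply before moving an origin's traffic to a different host. The header values, host names and certificate names used with it are constructed, and the certificate-name table stands in for a real TLS handshake.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"                      # RFC 7230 token
_ALTERNATIVE = re.compile(rf'^({TOKEN})="([^"]*)"$')           # h2="host:port"
_PARAM = re.compile(rf'^({TOKEN})=(?:"([^"]*)"|({TOKEN}))$')   # ma=3600

@dataclass
class AltService:
    protocol: str          # ALPN protocol id, e.g. "h2"
    host: Optional[str]    # None: same host as the origin (authority was ":443")
    port: int
    max_age: int = 86400   # RFC 7838 default (24 h) when "ma" is absent

def _split_unquoted(value: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        quoted ^= ch == '"'
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    return [p.strip() for p in parts + ["".join(buf)] if p.strip()]

def parse_alt_svc(header: str) -> List[AltService]:
    """Alternatives listed in an Alt-Svc value; "clear" yields none."""
    if header.strip().lower() == "clear":
        return []
    services = []
    for alt_value in _split_unquoted(header, ","):
        fields = _split_unquoted(alt_value, ";")
        m = _ALTERNATIVE.match(fields[0])
        if not m:
            continue                                 # malformed alt-value: skip
        host, _, port = m.group(2).rpartition(":")   # "" host means same host
        if not port.isdigit() or not 0 < int(port) < 65536:
            continue
        svc = AltService(m.group(1), host or None, int(port))
        for param in fields[1:]:
            pm = _PARAM.match(param)
            if pm and pm.group(1).lower() == "ma":
                val = pm.group(2) if pm.group(2) is not None else pm.group(3)
                if val.isdigit():
                    svc.max_age = int(val)
        services.append(svc)
    return services

def choose_alternative(header, origin_host, cert_names):
    """First usable alternative. RFC 7838 section 2.1: a host other than the
    origin may be used only if its TLS certificate is valid for the origin host.
    cert_names maps host -> names its cert covers (stand-in for the handshake)."""
    for alt in parse_alt_svc(header):
        if origin_host in cert_names.get(alt.host or origin_host, set()):
            return alt
    return None
```

A client that skips the certificate check in choose_alternative would let anyone who can inject a response header redirect all of an origin's traffic to a host of their choosing, which is why the RFC makes the check mandatory.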